From 82ff0c5852f29daa5f95d965fd50665581e7ea3c Mon Sep 17 00:00:00 2001
From: ᴜɴᴋɴᴡᴏɴ
Date: Sun, 15 Mar 2020 18:58:56 +0800
Subject: email: check the owner when set as primary (#5988)
* email: check the owner when set as primary
Fixes a security issue reported by muxishuihan.
* Update CHANGELOG
---
 internal/db/user_mail.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'internal/db')
diff --git a/internal/db/user_mail.go b/internal/db/user_mail.go
index 440de084..37f0c2c0 100644
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
 return nil
 }
 
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
 has, err := x.Get(email)
 if err != nil {
 return err
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
 return errors.EmailNotFound{Email: email.Email}
 }
 
+ if email.UID != userID {
+ return errors.New("not the owner of the email")
+ }
+
 if !email.IsActivated {
 return errors.EmailNotVerified{Email: email.Email}
 }
-- 
cgit v1.2.3
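Review bot: The new ownership check in the second hunk returns an untyped `errors.New("not the owner of the email")`, while the neighbouring checks return the typed `errors.EmailNotFound` / `errors.EmailNotVerified` values, so a caller cannot tell "not yours" apart from an internal failure and will most likely surface it as a generic server error instead of a not-found/forbidden response. Returning `errors.EmailNotFound{Email: email.Email}` for the foreign-owner case keeps error handling uniform with the rest of the function and also avoids confirming to the requester that the address is registered to another account. An alternative is to make the lookup itself owner-scoped by setting `email.UID = userID` before `x.Get(email)`, assuming the ORM's Get treats non-zero struct fields as query conditions — worth verifying against the driver in use. MakeEmailPrimary continues past the end of the hunk, so later statements that act on `email` should be read with the new ownership invariant in mind.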